Hi Patrick, Yes, I tested the dbx enrollment, but with my own data. Please let me try that dbx.
thanks,
greg

On Tue, 24 Aug 2021 at 14:22 Patrick Rudolph <patrick.rudo...@9elements.com> wrote:
>
> Hi Grzegorz,
> I tried this patch, but I cannot enroll the DBX downloaded from here:
> https://uefi.org/revocationlistfile
>
> Is it even possible with the current code? Did you test DBX enrollment as well
> using the revocation list file?
>
> Regards,
> Patrick
>
> On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki <g...@semihalf.com> wrote:
>>
>> This commit adds a library which consists of functions to
>> enroll Secure Boot keys and initialize Secure Boot
>> default variables. Some of the functions were moved
>> from the SecureBootConfigImpl.c file.
>>
>> Signed-off-by: Grzegorz Bernacki <g...@semihalf.com>
>> Reviewed-by: Sunny Wang <sunny.w...@arm.com>
>> Reviewed-by: Jiewen Yao <jiewen....@intel.com>
>> --- >> SecurityPkg/SecurityPkg.dec >> | 4 + >> SecurityPkg/SecurityPkg.dsc >> | 1 + >> >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf >> | 80 ++++ >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> | 134 ++++++ >> >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c >> | 482 ++++++++++++++++++++ >> >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni >> | 16 + >> 6 files changed, 717 insertions(+) >> create mode 100644 >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf >> create mode 100644 >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> create mode 100644 >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c >> create mode 100644 >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni >> >> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec >> index 8f3710e59f..e30c39f321 100644 >> --- a/SecurityPkg/SecurityPkg.dec >> +++ b/SecurityPkg/SecurityPkg.dec 
>> @@ -91,6 +91,10 @@ >> ## @libraryclass Provides helper functions related to creation/removal >> Secure Boot variables. >> # >> SecureBootVariableLib|Include/Library/SecureBootVariableLib.h >> + >> + ## @libraryclass Provides support to enroll Secure Boot keys. >> + # >> + >> SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h >> [Guids] >> ## Security package token space guid. >> # Include/Guid/SecurityPkgTokenSpace.h >> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc >> index 854f250625..99c227dad2 100644 >> --- a/SecurityPkg/SecurityPkg.dsc >> +++ b/SecurityPkg/SecurityPkg.dsc >> @@ -71,6 +71,7 @@ >> >> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf >> >> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf >> >> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf >> + >> SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf >> >> [LibraryClasses.ARM] >> # >> diff --git >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf >> >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf >> new file mode 100644 >> index 0000000000..a09abd29ce >> --- /dev/null >> +++ >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf 
>> @@ -0,0 +1,80 @@ >> +## @file >> +# Provides initialization of Secure Boot keys and databases. >> +# >> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> >> +# Copyright (c) 2021, Semihalf All rights reserved.<BR> >> +# >> +# SPDX-License-Identifier: BSD-2-Clause-Patent >> +# >> +## >> + >> +[Defines] >> + INF_VERSION = 0x00010005 >> + BASE_NAME = SecureBootVariableLib >> + MODULE_UNI_FILE = SecureBootVariableLib.uni >> + FILE_GUID = 18192DD0-9430-45F1-80C7-5C52061CD183 >> + MODULE_TYPE = DXE_DRIVER >> + VERSION_STRING = 1.0 >> + LIBRARY_CLASS = >> SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION >> + >> +# >> +# The following information is for reference only and not required by the >> build tools. >> +# >> +# VALID_ARCHITECTURES = IA32 X64 AARCH64 >> +# >> + >> +[Sources] >> + SecureBootVariableProvisionLib.c >> + >> +[Packages] >> + MdePkg/MdePkg.dec >> + MdeModulePkg/MdeModulePkg.dec >> + SecurityPkg/SecurityPkg.dec >> + CryptoPkg/CryptoPkg.dec >> + >> +[LibraryClasses] >> + BaseLib >> + BaseMemoryLib >> + DebugLib >> + MemoryAllocationLib >> + BaseCryptLib >> + DxeServicesLib >> + SecureBootVariableLib >> + >> +[Guids] >> + ## CONSUMES ## Variable:L"SetupMode" >> + ## PRODUCES ## Variable:L"SetupMode" >> + ## CONSUMES ## Variable:L"SecureBoot" >> + ## PRODUCES ## Variable:L"SecureBoot" >> + ## PRODUCES ## Variable:L"PK" >> + ## PRODUCES ## Variable:L"KEK" >> + ## CONSUMES ## Variable:L"PKDefault" >> + ## CONSUMES ## Variable:L"KEKDefault" >> + ## CONSUMES ## Variable:L"dbDefault" >> + ## CONSUMES ## Variable:L"dbxDefault" >> + ## CONSUMES ## Variable:L"dbtDefault" >> + gEfiGlobalVariableGuid >> + >> + ## SOMETIMES_CONSUMES ## Variable:L"DB" >> + ## SOMETIMES_CONSUMES ## Variable:L"DBX" >> + ## SOMETIMES_CONSUMES ## Variable:L"DBT" >> + gEfiImageSecurityDatabaseGuid >> + >> + ## CONSUMES ## Variable:L"SecureBootEnable" >> + ## PRODUCES ## Variable:L"SecureBootEnable" >> + gEfiSecureBootEnableDisableGuid >> + >> + ## 
CONSUMES ## Variable:L"CustomMode" >> + ## PRODUCES ## Variable:L"CustomMode" >> + gEfiCustomModeEnableGuid >> + >> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES >> + gEfiCertX509Guid ## CONSUMES >> + gEfiCertPkcs7Guid ## CONSUMES >> + >> + gDefaultPKFileGuid >> + gDefaultKEKFileGuid >> + gDefaultdbFileGuid >> + gDefaultdbxFileGuid >> + gDefaultdbtFileGuid >> + >> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> new file mode 100644 >> index 0000000000..ba8009b5cd >> --- /dev/null >> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h 
>> @@ -0,0 +1,134 @@ >> +/** @file >> + Provides a functions to enroll keys based on default values. >> + >> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> >> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR> >> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> >> +Copyright (c) 2021, Semihalf All rights reserved.<BR> >> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ >> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ >> + >> +/** >> + Sets the content of the 'db' variable based on 'dbDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime() >> and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime() >> and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbxFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime() >> and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbtFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2(), GetTime() >> and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollKEKFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'PK' variable based on 'PKDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime() >> and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollPKFromDefault ( >> + VOID >> +); >> + >> +/** >> + Initializes PKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitPKDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes KEKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitKEKDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbtDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbtDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbxDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbxDefault ( >> + IN VOID >> + ); >> +#endif 
>> diff --git >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c >> >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c >> new file mode 100644 >> index 0000000000..848f7ce929 >> --- /dev/null >> +++ >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c 
>> @@ -0,0 +1,482 @@ >> +/** @file >> + This library provides functions to set/clear Secure Boot >> + keys and databases. >> + >> + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> >> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR> >> + Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> >> + Copyright (c) 2021, Semihalf All rights reserved.<BR> >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> +**/ >> +#include <Guid/GlobalVariable.h> >> +#include <Guid/AuthenticatedVariableFormat.h> >> +#include <Guid/ImageAuthentication.h> >> +#include <Library/BaseLib.h> >> +#include <Library/BaseMemoryLib.h> >> +#include <Library/DebugLib.h> >> +#include <Library/UefiLib.h> >> +#include <Library/MemoryAllocationLib.h> >> +#include <Library/UefiRuntimeServicesTableLib.h> >> +#include <Library/SecureBootVariableLib.h> >> +#include <Library/SecureBootVariableProvisionLib.h> >> + >> +/** >> + Enroll a key/certificate based on a default variable. >> + >> + @param[in] VariableName The name of the key/database. >> + @param[in] DefaultName The name of the default variable. >> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the >> variable >> + >> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader. >> + @retval EFI_SUCCESS Successful enrollment. >> + @return Error codes from GetTime () and >> SetVariable (). 
>> +**/ >> +STATIC >> +EFI_STATUS >> +EnrollFromDefault ( >> + IN CHAR16 *VariableName, >> + IN CHAR16 *DefaultName, >> + IN EFI_GUID *VendorGuid >> + ) >> +{ >> + VOID *Data; >> + UINTN DataSize; >> + EFI_STATUS Status; >> + >> + Status = EFI_SUCCESS; >> + >> + DataSize = 0; >> + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, >> &DataSize); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, >> Status)); >> + return Status; >> + } >> + >> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", >> Status)); >> + return Status; >> + } >> + >> + // >> + // Allocate memory for auth variable >> + // >> + Status = gRT->SetVariable ( >> + VariableName, >> + VendorGuid, >> + (EFI_VARIABLE_NON_VOLATILE | >> + EFI_VARIABLE_BOOTSERVICE_ACCESS | >> + EFI_VARIABLE_RUNTIME_ACCESS | >> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), >> + DataSize, >> + Data >> + ); >> + >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, >> VariableName, >> + VendorGuid, Status)); >> + } >> + >> + if (Data != NULL) { >> + FreePool (Data); >> + } >> + >> + return Status; >> +} >> + >> +/** Initializes PKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitPKDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); >> + if (Status == EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", >> EFI_PK_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", >> EFI_PK_DEFAULT_VARIABLE_NAME)); >> + >> + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, >> &EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", >> EFI_PK_DEFAULT_VARIABLE_NAME)); >> + return Status; >> + } >> + >> + Status = gRT->SetVariable ( >> + EFI_PK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | >> EFI_VARIABLE_BOOTSERVICE_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", >> EFI_PK_DEFAULT_VARIABLE_NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes KEKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitKEKDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); >> + if (Status == EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", >> EFI_KEK_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", >> EFI_KEK_DEFAULT_VARIABLE_NAME)); >> + >> + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, >> &EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", >> EFI_KEK_DEFAULT_VARIABLE_NAME)); >> + return Status; >> + } >> + >> + >> + Status = gRT->SetVariable ( >> + EFI_KEK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | >> EFI_VARIABLE_BOOTSERVICE_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", >> EFI_KEK_DEFAULT_VARIABLE_NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitDbDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); >> + if (Status == EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", >> EFI_DB_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", >> EFI_DB_DEFAULT_VARIABLE_NAME)); >> + >> + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, >> &EfiSig); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + Status = gRT->SetVariable ( >> + EFI_DB_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | >> EFI_VARIABLE_BOOTSERVICE_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", >> EFI_DB_DEFAULT_VARIABLE_NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbxDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitDbxDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); >> + if (Status == EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", >> EFI_DBX_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", >> EFI_DBX_DEFAULT_VARIABLE_NAME)); >> + >> + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, >> &EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", >> EFI_DBX_DEFAULT_VARIABLE_NAME)); >> + return Status; >> + } >> + >> + Status = gRT->SetVariable ( >> + EFI_DBX_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | >> EFI_VARIABLE_BOOTSERVICE_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", >> EFI_DBX_DEFAULT_VARIABLE_NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbtDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitDbtDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); >> + if (Status == EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", >> EFI_DBT_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", >> EFI_DBT_DEFAULT_VARIABLE_NAME)); >> + >> + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, >> &EfiSig); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + Status = gRT->SetVariable ( >> + EFI_DBT_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | >> EFI_VARIABLE_BOOTSERVICE_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", >> EFI_DBT_DEFAULT_VARIABLE_NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return EFI_SUCCESS; >> +} >> + >> +/** >> + Sets the content of the 'db' variable based on 'dbDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTime () >> and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status = EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE, >> + EFI_DB_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2 (), GetTime () >> and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbxFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status = EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE1, >> + EFI_DBX_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTime () >> and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbtFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status = EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE2, >> + EFI_DBT_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTime () >> and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollKEKFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status = EnrollFromDefault ( >> + EFI_KEY_EXCHANGE_KEY_NAME, >> + EFI_KEK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable >> content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for >> EFI_VARIABLE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2 (), GetTime () >> and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollPKFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status = EnrollFromDefault ( >> + EFI_PLATFORM_KEY_NAME, >> + EFI_PK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid >> + ); >> + >> + return Status; >> +} >> diff --git >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni >> >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni >> new file mode 100644 >> index 0000000000..68d928ef30 >> --- /dev/null >> +++ >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni >> @@ -0,0 +1,16 @@ >> +// /** @file >> +// >> +// Provides initialization of Secure Boot keys and databases. >> +// >> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> >> +// Copyright (c) 2021, Semihalf All rights reserved.<BR> >> +// >> +// SPDX-License-Identifier: BSD-2-Clause-Patent >> +// >> +// **/ >> + >> + >> +#string STR_MODULE_ABSTRACT #language en-US "Provides functions >> to initialize PK, KEK and databases based on default variables." >> + >> +#string STR_MODULE_DESCRIPTION #language en-US "Provides functions >> to initialize PK, KEK and databases based on default variables." >> + >> -- >> 2.25.1 >> >> >> >> >> >> -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#79767): https://edk2.groups.io/g/devel/message/79767 Mute This Topic: https://groups.io/mt/84608356/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
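Review bot: in the [Defines] section of the new SecureBootVariableProvisionLib.inf, `BASE_NAME = SecureBootVariableLib` and `MODULE_UNI_FILE = SecureBootVariableLib.uni` name the existing SecureBootVariableLib rather than this library, and the UNI file this patch actually adds is SecureBootVariableProvisionLib.uni, so MODULE_UNI_FILE points at a file that does not exist in this directory. Suggest `BASE_NAME = SecureBootVariableProvisionLib` and `MODULE_UNI_FILE = SecureBootVariableProvisionLib.uni`. The [LibraryClasses] list also does not match the source: SecureBootVariableProvisionLib.c includes Library/UefiLib.h (for GetVariable2) and Library/UefiRuntimeServicesTableLib.h (for gRT), neither of which is listed, while BaseCryptLib and DxeServicesLib are listed but never referenced in the .c file. Likewise the [Guids] block declares SetupMode, SecureBoot, SecureBootEnable, CustomMode and the gEfiCertTypeRsa2048Sha256Guid/gEfiCertX509Guid/gEfiCertPkcs7Guid GUIDs as consumed or produced, but the code only reads the *Default variables and writes PK, KEK, db, dbx and dbt; trimming the list to what the code uses keeps the variable-usage documentation accurate for anyone auditing which firmware component touches which Secure Boot variable.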
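Review bot: in SecureBootVariableProvisionLib.h the doc comments close with `--*/` instead of the `**/` terminator used everywhere else in this patch (including the .c file for the same functions); the SecureBootInit*Default prototypes lack the EFIAPI that the Enroll*FromDefault prototypes carry and declare `IN VOID` where the Enroll functions use plain `VOID`, so the two families should be made consistent. The file header "Provides a functions to enroll keys based on default values." should read "Provides functions to enroll keys based on default values." The @retval text for each Enroll*FromDefault says EFI_OUT_OF_RESOURCES is returned "while VendorGuid is NULL", but none of these public wrappers takes a VendorGuid, so the condition is meaningless at this interface and should be reworded to describe the failure of the authenticated-payload allocation.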
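Review bot: in EnrollFromDefault in SecureBootVariableProvisionLib.c the return value of `CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);` is discarded, so the `if (EFI_ERROR (Status))` that follows tests the Status left over from the successful GetVariable2 call and can never fire; if building the authenticated payload fails, the function still goes on to gRT->SetVariable with whatever Data and DataSize now hold. Suggest `Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);` and freeing Data on that error path, since the early return there leaks the buffer returned by GetVariable2. The comment `// Allocate memory for auth variable` above the SetVariable call describes nothing that happens there, and the DEBUG string `"error: GetVariable (\"%s): %r\n"` is missing its closing escaped quote. Further down, SecureBootInitDbtDefault ends with `return EFI_SUCCESS;` even after logging "Failed to set", whereas its four siblings `return Status;`, so a caller cannot tell that dbtDefault was not written. The doc comment on EnrollPKFromDefault still says it sets 'KEK' from 'KEKDefault', and the file header claims the library can "set/clear" keys and databases although no function here clears anything. Finally, it is worth stating in the EnrollFromDefault comment that the *Default variables must hold raw EFI_SIGNATURE_LIST data, because CreateTimeBasedPayload prepends a fresh EFI_VARIABLE_AUTHENTICATION_2 header; an input that already begins with an authentication header would simply be wrapped a second time rather than passed through, which is the first thing to check for the DBX enrollment question raised in this thread.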